
Adding encryption to a website.


4 replies to this topic

#1 DarkHavn

DarkHavn
  • Members
  • Advanced Member
  • 69 posts

Posted 20 September 2006 - 09:32 PM

Was just wondering your regards and feedback on this one.

Things like SSL on a webpage, 128-bit encryption on websites that handle sensitive data like credit card numbers and such.

Do you guys prefer, or recommend anything?

Should I rely on PHP for this, or something else?

Just thought I would get some feedback on this before I go ahead with anything.

Cheers

#2 markbett

markbett
  • Members
  • Advanced Member
  • 133 posts

Posted 20 September 2006 - 09:40 PM

SSL isn't a feature of PHP; it's something that runs on the webserver.

#3 DarkHavn

DarkHavn
  • Members
  • Advanced Member
  • 69 posts

Posted 20 September 2006 - 09:43 PM

Lol, sorry, should have been more descriptive of what I was meaning. Yeah, SSL is a part of the server that is running Apache or depending on your flavour.

Guess what I was truly meaning is, is there any means or methods you guys recommend of encryption via PHP, if that is possible at all?

#4 AdRock

AdRock
  • Members
  • Advanced Member
  • 911 posts

Posted 20 September 2006 - 11:19 PM

I encrypt passwords using md5
If your topic has been solved, please mark the topic as SOLVED.

This helps others from identifying which topics need help still

#5 tomfmason

tomfmason
  • Staff Alumni
  • Advanced Member
  • 1,696 posts
  • Location: stealing your wifi

Posted 21 September 2006 - 12:21 AM

I am surprised that this has not been posted before. Normally when it comes to a question in regards to security, of any kind, there are a thousand posts.

There are a couple of ways of encrypting the sensitive data. Here is an example function that would encrypt the data before passing it to a database.

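<?php
// Note: the mcrypt extension was deprecated in PHP 7.1 and removed in PHP 7.2.
$cc_number = "0000000000000000";

// Encrypt a value before it is written to the database.
function encryptData($data) {
      // ECB mode does not use an IV; mcrypt ignores the value passed here,
      // so equal plaintext blocks always produce equal ciphertext blocks.
      $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
      $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
      // Placeholder key: from PHP 5.6 on, mcrypt only accepts 16, 24 or 32 byte keys.
      $key = "your_key";

      $crypttext = mcrypt_encrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
      return $crypttext;
}

$encrypted_cc = encryptData($cc_number);

// now you can pass the encrypted data to the db


// and here is a function for decrypting the data.

function decryptData($data) {
       $iv_size = mcrypt_get_iv_size(MCRYPT_RIJNDAEL_256, MCRYPT_MODE_ECB);
       $iv = mcrypt_create_iv($iv_size, MCRYPT_RAND);
       $key = "your_key";
       $decrypted_data = mcrypt_decrypt(MCRYPT_RIJNDAEL_256, $key, $data, MCRYPT_MODE_ECB, $iv);
       // mcrypt pads the last block with NUL bytes; strip them from the result.
       return rtrim($decrypted_data, "\0");
}

//here is a simple sql call to get the encrypted cc number
// escape the (placeholder) lookup value before it goes into the query
$something = mysql_real_escape_string($something);
$sql = mysql_query("SELECT * FROM `your_table` WHERE `something` = '$something'");

while ($rw = mysql_fetch_assoc($sql)) {
     $cc_number = decryptData($rw['cc_number']);
}
?>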

Now as far as the key goes, I randomly generate a key and then on a couple of random days each month I decrypt all of the encrypted data in the db and then encrypt it again with a new random key. I then store the key in another function.

This may be overkill but what the hell, I am responsible for that data. So I will try my best to secure it to the best of my ability.

I hope that this helps.

If anyone has any suggestions on a better way to encrypt the data or a fault in my script, please feel free to reply.

Thanks,
Tom

Traveling East in search of instruction, and West to propagate the knowledge I have had gained.

current projects: pokersource

My Blog | My Pastebin | PHP Validation class | Backtrack linux
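
An added example, not part of tomfmason's post or any project's code: the ECB function above returns the same ciphertext for the same card number and detects no tampering, so this sketch does the same field encryption and the key rotation he describes with AES-256-GCM through PHP's OpenSSL extension (PHP 7.1 or later). The function names, the `k1`/`k2` key ids and the `keyId:base64` storage format are assumptions made for the illustration.

```php
<?php
// Added example. Keys are generated inline so the script runs on its own;
// assumption: real keys come from config or a secrets store, not the database.
$keys = ['k1' => random_bytes(32), 'k2' => random_bytes(32)];

function encryptField(string $plaintext, string $keyId, array $keys): string {
    $nonce = random_bytes(12);            // fresh 96-bit nonce for every record
    $tag = '';
    // The key id is passed as associated data, so it is authenticated too.
    $ct = openssl_encrypt($plaintext, 'aes-256-gcm', $keys[$keyId],
                          OPENSSL_RAW_DATA, $nonce, $tag, $keyId);
    if ($ct === false) {
        throw new RuntimeException('encryption failed');
    }
    // Stored form: keyId:base64(nonce || tag || ciphertext)
    return $keyId . ':' . base64_encode($nonce . $tag . $ct);
}

function decryptField(string $stored, array $keys): string {
    [$keyId, $b64] = array_pad(explode(':', $stored, 2), 2, '');
    $raw = base64_decode($b64, true);
    if ($raw === false || !isset($keys[$keyId]) || strlen($raw) <= 28) {
        throw new RuntimeException('malformed record or unknown key id');
    }
    $pt = openssl_decrypt(substr($raw, 28), 'aes-256-gcm', $keys[$keyId],
        OPENSSL_RAW_DATA, substr($raw, 0, 12), substr($raw, 12, 16), $keyId);
    if ($pt === false) {                  // wrong key, or the record was altered
        throw new RuntimeException('authentication failed');
    }
    return $pt;
}

// Key rotation: decrypt under the key named in the record, re-encrypt under the new one.
function rotateField(string $stored, string $newKeyId, array $keys): string {
    return encryptField(decryptField($stored, $keys), $newKeyId, $keys);
}

$cc = '0000000000000000';                 // constructed sample value
$first   = encryptField($cc, 'k1', $keys);
$second  = encryptField($cc, 'k1', $keys);
$rotated = rotateField($first, 'k2', $keys);
var_dump($first !== $second);                     // compares two encryptions of one input
var_dump(decryptField($rotated, $keys) === $cc);  // round trip after rotation
// Alter one character of the stored value and try to read it back.
$tampered = substr($rotated, 0, -5) . ($rotated[-5] === 'A' ? 'B' : 'A') . substr($rotated, -4);
try {
    decryptField($tampered, $keys);
} catch (RuntimeException $e) {
    var_dump($e->getMessage());
}
```

Because each record carries its key id, rotation can proceed row by row while old and new keys are both available, and the old key is retired once no stored value references it.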
